If You’re Not First, You’re Last - Risks of Delaying CaCPA Compliance

Overview of CaCPA

Privacy continues to span headlines with endless coverage of personal data misuse scandals by household-name companies, highlighting their unethical data management practices. Simultaneously, optimistic privacy advocates across the U.S. campaigned for reasonable online privacy standards and corporate accountability. With powerful momentum, California’s Consumer Privacy Act (CaCPA) was passed on June 28th, 2018 with the goal of increasing transparency, access, and control over an individual’s personal information while handing out considerable penalties to organizations for infringement of the Act’s provisions.

As a result of the Act’s introduction, enterprises must now place particular emphasis on the time-sensitive processes required for responding to an individual’s information (access) requests. And while enterprises likely anticipate full alignment with the CaCPA’s requirements before the July 1, 2020 enforcement date, compliance relies not only on processes already established for other privacy obligations (e.g. GDPR); it also hinges on the ability to design and maintain accurate data registers that contain a detailed catalog of the organization’s data collection, selling, and disclosure activities performed over the previous 12 months.

This post explains, from a privacy practitioner’s perspective, why enterprises shouldn’t delay the development of scalable data inventories and data mappings to help comply with the requirements of CaCPA Section 1798.130 for providing requesting individuals with a trailing 12-month snapshot of their data usage.

The Twelve-Month Lookback Period

While the CaCPA’s textual requirements detailing the 12-month lookback period may not stand out during a first read-through, it is important to highlight where this requirement exists and why it has been included in the Act.

The term “12 months” can be found 15 times within the Act. For purposes of this analysis we will focus on the requirements described under 1798.130, addressing an enterprise’s obligation to “disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.” As further specified under this section, three specific cases are detailed in which the trailing 12-month period would apply, including:

Personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision.

Personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision.

Personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision.

Like most, you may be wondering why the 12-month period is stipulated at all. For this, we need to briefly visit the fundamentals of the Act, including relevant events that prompted the privacy reform. As stated earlier, and commonly called out in other mandatory and/or voluntary privacy legislation and frameworks (e.g. GDPR, APEC, OECD), transparency is a critical element of legitimate business relationships. At the same time, consumers may not read an organization’s privacy notice with a pair of legal lenses, but they do have reasonable expectations around the usage and processing of their data. With this, enterprise accountability around data usage has taken the spotlight to avoid deceptive, unfair, or illegal data collection, processing, and sharing arrangements, such as the negligence found in the recent Facebook / Cambridge Analytica case.

For enterprises that already maintain baseline data processing registers due to the EU’s GDPR, a formal review should occur to validate the effectiveness of the current documentation against the CaCPA. Where no prior preparation has taken place, management should immediately organize a cross-functional team to identify all points of data collection, data sharing activities, and any cases for disclosure.

Poor or no planning for building and maintaining data registers also carries its own risks. While organizations may consider an ad-hoc approach for managing consumer (or data subject) requests with little preparation, the enterprise exposes itself to real legal action by California’s Attorney General (AG) and individuals alike.

Key Definitions from the Lookback

Equally important to the formal consumer response processes is having a strong understanding of the personal data processing environment. In accordance with the 12-month lookback and for purposes of exposing the necessary personal information required in a consumer response, the following terms should be clearly understood to ensure an accurate facilitation of consumer inquiries in accordance with the Act:

Collecting: Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

Selling: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Disclosing for Business Purposes: The use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.

Too late to start preparing?

The CaCPA will be effective on January 1, 2020. Vigilant organizations should be prepared to provide consumers with details regarding the previous year’s data collection, sales, or disclosure activities on that date (i.e., from January 1, 2019).

Additionally, enterprises should be aware of the dates from which California’s AG can enforce the CaCPA. Specifically, the Act states that “The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.” As stated, enforcement is dependent on the AG’s publication of the final regulations, which hinges on the AG’s timeline for issuing adoption and implementation guidance for the Act’s requirements.

Am I covered by GDPR’s Record of Processing Activities?

While the CaCPA is not a replica of the GDPR, there are similarities in their requirements. The GDPR’s Article 30 Record of Processing Activities (RoPA) could be a good start for meeting the disclosure requirements under 1798.130. As a point of consideration, the below table refers to GDPR’s Article 30(1) and is relevant to Data Controllers. Organizations may use the same logic when evaluating the applicability under Article 30(2) for processor responsibilities.

Let’s take a look at the specific requirements between the two pieces of legislation to identify what can be leveraged:

Similarities

GDPR Article 30(1)(a): the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
CaCPA: Yes, where it describes the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes.
Relevant Sections: 1798.140(e), 1798.140(t), 1798.140(d)

GDPR Article 30(1)(c): a description of the categories of data subjects and of the categories of personal data;
CaCPA: Yes, where it is accurate, maintained, and captures all categories of personal information for at least 12 months.
Relevant Sections: 1798.140(e), 1798.140(t), 1798.140(d)

GDPR Article 30(1)(d): the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
CaCPA: Yes, where it describes all instances where the personal data categories have been sold or disclosed for business purposes.
Relevant Sections: 1798.140(t), 1798.140(d)

Differences

GDPR Article 30(1)(e): where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
GDPR Article 30(1)(f): where possible, the envisaged time limits for erasure of the different categories of data;
GDPR Article 30(1)(g): where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
CaCPA: While useful for interrelated CaCPA/GDPR areas, these items are not specifically required for a CaCPA verified consumer response.

While the GDPR’s record of processing activities requirement can be leveraged to aid in the preparation for the CaCPA 12-month lookback requirement, the CaCPA and GDPR are inherently different due to scope. An analysis should be performed on the existing documentation before considering this obligation fulfilled.

Conclusion

The CaCPA mandates that organizations provide consumers with an accurate look-back at the data that was collected, sold, or disclosed during the business relationship or service delivery. Organizations should avoid the temptation of relying solely on existing processes resulting from the GDPR without further analysis, or of not preparing at all. Prior to the effective date in January 2020, businesses should take the opportunity to develop a comprehensive data inventory to ensure that all relevant personal information assets are identified in accordance with CaCPA’s new requirements. At the same time, it’s important that this process can scale with business operations to ensure both internal and external visibility and consistency as data collection, sharing, and sales operations change. Due to the increased focus on data privacy and the implications of the regulatory environment, early preparation will pay off in the form of a trusting customer base and in the intrinsic marketplace advantage offered to those who establish themselves as a reputable, privacy-conscious business partner.

About the Author

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. Prior to joining Schellman, Kevin worked as an IT Compliance Manager, specializing in IT Security and Data Privacy compliance frameworks, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As a Senior Associate with Schellman, Kevin is focused primarily on data protection laws for organizations across various industries.